eBay Hack

On May 21, 2014, eBay reported that it had discovered two weeks earlier that its systems had been breached and that all 145 million of its users had had PII stolen. The reason given for the delay in announcing the breach was that eBay initially believed the user data was safe.

As it turned out, the data stolen included passwords, full names, addresses, and Social Security numbers, but no credit card or other financial information was said to have been breached, because user data and financial data are stored separately.

It was believed that the actual attack began months earlier, in late February or early March.

The stolen passwords were said to be encrypted with a “proprietary hashing and salting technology.” [Editor’s Note: Proprietary means that the technology cannot be evaluated for strength by leaders in the industry. In other words, it’s “suspect” encryption.]

As a result of the theft, eBay requested that all of its users change their passwords, and worked to implement a system that required users to change their passwords when they next logged in.

Although eBay never officially released its findings on how the hack was perpetrated, it did reveal that three corporate employees had their login credentials compromised, which led to the breach. Because of this explanation, many have speculated that it was the result of a phishing campaign, although since the hack, XSS vulnerabilities and weaknesses in the site’s “forgot password” mechanism have also been discovered on eBay’s site.

Interesting Facts:

It is believed that 80% of encrypted passwords can be broken by brute force means within 48 hours.
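The editor’s note above objects to “proprietary” hashing because nobody outside the company can assess it, and the brute-force figure just given is what a fast, unsalted hash invites. The following is an added example, not eBay’s code and not a reconstruction of its scheme: it stores passwords with a publicly specified, reviewable construction (PBKDF2-HMAC-SHA256 from Python’s standard library), a random per-user salt, and a tunable iteration count. The record format, the iteration count, and the function names are assumptions chosen for illustration.

```python
"""
Password storage with a publicly vetted construction (PBKDF2-HMAC-SHA256 from
hashlib) instead of a proprietary one. Added example; not eBay's code.
The record layout and ITERATIONS value are assumptions for illustration.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

DIGEST = "sha256"
ITERATIONS = 200_000   # work factor (assumption); raise it as hardware gets faster
SALT_BYTES = 16        # random per-user salt, so equal passwords yield different records


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Storing the algorithm, iteration count and salt alongside the digest means a
    record can still be verified after the default work factor is raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{DIGEST}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                     # malformed record: never "accidentally" accept
    if algo != f"pbkdf2_{DIGEST}" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)   # no early-exit timing leak


def salts_defeat_precomputation(password: str) -> bool:
    """Two users with the same password must get different records that both verify."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


def work_factor(record: str) -> int:
    """Iteration count stored in a record: roughly how many SHA-256 evaluations one
    guess costs compared with a single unsalted hash."""
    return int(record.split("$")[1])


if __name__ == "__main__":
    # Constructed demo input; timing shows why the iteration count matters.
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec))

    t0 = time.perf_counter()
    hashlib.sha256(b"correct horse battery staple").digest()
    plain = time.perf_counter() - t0
    t0 = time.perf_counter()
    verify_password("correct horse battery staple", rec)
    stretched = time.perf_counter() - t0
    print(f"one plain SHA-256 guess: {plain*1e6:.1f} us; "
          f"one PBKDF2 guess (work factor {work_factor(rec)}): {stretched*1e3:.1f} ms")
```

Because the algorithm is a published standard, the check that matters (is the work factor high enough, is the salt random and per user, is the comparison constant-time) can be made by anyone reading the code, which is exactly what a proprietary scheme prevents. The verifier below also pins the implementation to a published PBKDF2-HMAC-SHA256 test vector so that “standard” is checked rather than assumed.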